* [PATCH] ppp: Add upstream patch to fix bounds check in EAP code.
@ 2020-02-22 14:02 Stefan Schantl
0 siblings, 0 replies; only message in thread
From: Stefan Schantl @ 2020-02-22 14:02 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2783 bytes --]
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
lfs/ppp | 1 +
....8-pppd-fix-bounds-check-in-eap-code.patch | 35 +++++++++++++++++++
2 files changed, 36 insertions(+)
create mode 100644 src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
diff --git a/lfs/ppp b/lfs/ppp
index 607765bd0..cbac95067 100644
--- a/lfs/ppp
+++ b/lfs/ppp
@@ -79,6 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h
cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls
cd $(DIR_APP) && make $(MAKETUNING) CC="gcc" RPM_OPT_FLAGS="$(CFLAGS)"
diff --git a/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch b/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
new file mode 100644
index 000000000..858769f48
--- /dev/null
+++ b/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
@@ -0,0 +1,35 @@
+commit 8d7970b8f3db727fe798b65f3377fe6787575426
+Author: Paul Mackerras <paulus(a)ozlabs.org>
+Date: Mon Feb 3 15:53:28 2020 +1100
+
+ pppd: Fix bounds check in EAP code
+
+ Given that we have just checked vallen < len, it can never be the case
+ that vallen >= len + sizeof(rhostname). This fixes the check so we
+ actually avoid overflowing the rhostname array.
+
+ Reported-by: Ilja Van Sprundel <ivansprundel(a)ioactive.com>
+ Signed-off-by: Paul Mackerras <paulus(a)ozlabs.org>
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f5..1b93db0 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
+@@ -1846,7 +1846,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
--
2.25.0
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2020-02-22 14:02 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-22 14:02 [PATCH] ppp: Add upstream patch to fix bounds check in EAP code Stefan Schantl
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox